Frag Ransomware Dissection

A new ransomware strain, named Frag ransomware, has been discovered during a series of cyberattacks that exploited a vulnerability in Veeam backup servers, tracked as CVE-2024-40711.

This newly observed ransomware, deployed by a threat group tracked as STAC 5881, has a playbook with novel tactics. In previous instances, the same threat group had used other ransomware strains, such as Akira and Fog, but Frag marks a unique addition to their arsenal.

Frag ransomware is command-line-driven, with attackers specifying parameters to control the percentage of each file to be encrypted. This flexibility allows selective encryption, possibly to evade detection or to prolong the victim's file-recovery effort.


Once encryption is completed, affected files are renamed with a .frag extension. Like Akira, this ransomware also uses compromised VPN appliances for initial access and leverages Veeam vulnerabilities to create administrator accounts on target systems, such as “point” and, in recent cases, an additional “point2” account.
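The two observable traces described above (files renamed with a .frag extension and newly created administrator accounts named “point” / “point2”), together with the percentage-based partial encryption mentioned earlier, can be turned into simple triage checks. The following is an added example written for this page, not code from Sophos or from the ransomware itself. The event schema and the sample file are constructed for the example; the entropy-per-chunk heuristic for estimating how much of a file has been encrypted is a generic assumption about ciphertext looking random, not a documented property of Frag.

```python
"""Defender-side triage for the Frag indicators named on this page."""
import math
import random
from collections import Counter

# Constructed sample telemetry: a made-up schema for this example, not the
# format of any real backup, EDR or Windows log source.
SAMPLE_EVENTS = [
    {"type": "file_rename", "host": "fs01", "old": r"D:\share\Q3-report.xlsx",
     "new": r"D:\share\Q3-report.xlsx.frag"},
    {"type": "file_rename", "host": "fs01", "old": r"D:\share\draft.docx",
     "new": r"D:\share\draft-v2.docx"},
    {"type": "user_create", "host": "veeam01", "user": "point", "groups": ["Administrators"]},
    {"type": "user_create", "host": "veeam01", "user": "point2", "groups": ["Administrators"]},
    {"type": "user_create", "host": "veeam01", "user": "svc_backup", "groups": ["Backup Operators"]},
    {"type": "file_rename", "host": "fs02", "old": r"E:\db\customers.bak",
     "new": r"E:\db\customers.bak.frag"},
]

FRAG_EXTENSION = ".frag"                 # extension reported for this strain
SUSPECT_ACCOUNTS = {"point", "point2"}   # account names reported for this campaign


def frag_renames(events):
    """Return (host, new path) for every rename whose target ends in .frag."""
    return [(e["host"], e["new"]) for e in events
            if e["type"] == "file_rename"
            and e["new"].lower().endswith(FRAG_EXTENSION)]


def suspicious_account_creations(events):
    """Return (host, user) for account creations matching the reported names."""
    return [(e["host"], e["user"]) for e in events
            if e["type"] == "user_create"
            and e["user"].lower() in SUSPECT_ACCOUNTS]


def shannon_entropy(data):
    """Byte entropy in bits per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data, chunk_size=512, threshold=7.0):
    """Estimate what share of a file looks encrypted.

    Heuristic (assumption, not Frag-specific): ciphertext is close to uniformly
    random, so chunks with entropy near 8 bits/byte are treated as encrypted.
    Because Frag encrypts only a configurable percentage of each file, the
    fraction of high-entropy chunks approximates that percentage.
    """
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return high / len(chunks)


# Constructed sample file: 4 KiB of repetitive text whose second KiB has been
# replaced with seeded pseudo-random bytes to stand in for an encrypted region.
_PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
_rng = random.Random(1234)
_RANDOM_KIB = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE_FILE = _PLAINTEXT[:1024] + _RANDOM_KIB + _PLAINTEXT[2048:]

if __name__ == "__main__":
    for host, path in frag_renames(SAMPLE_EVENTS):
        print(f"[rename] {host}: {path}")
    for host, user in suspicious_account_creations(SAMPLE_EVENTS):
        print(f"[account] {host}: {user}")
    print(f"[entropy] sample file looks {encrypted_fraction(SAMPLE_FILE):.0%} encrypted")
```

In practice the account-creation events would come from a source such as Windows Security event 4720 (“A user account was created”) on the Veeam host, and the rename events from file-server auditing or an EDR; the entropy check is useful for triage of a suspected partially encrypted share, because a low fraction indicates that most of each file's bytes are still intact.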

Researchers explain that Frag’s tactics mirror those seen in Akira ransomware, suggesting a possible link between the groups or shared techniques. Agger Labs has also noted these similarities, indicating that Frag might signal the rise of a new, sophisticated ransomware player.

This research was documented by researchers from Sophos.
